Source of intervention: Legislative
Summary: intervention and options


What is the problem under consideration? Why is regulatory action or 
intervention necessary? 


The Information Commissioner was required to prepare a Direct Marketing 
Code (the code) under section 122 of the Data Protection Act 2018 (DPA 2018) 
to provide practical guidance in relation to the carrying out of direct marketing 
in accordance with the requirements of data protection legislation and the 
Privacy and Electronic Communications Regulations (PECR) 2003, and such 
other guidance as he considers appropriate to promote good practice in direct 
marketing. However, given there are likely to be changes to privacy legislation 
in the near future, as indicated in the Data Protection and Digital Information 
Bill, we are instead publishing the code as guidance. This is to ensure that 
organisations have guidance to help them comply now rather than waiting for 
new legislation to be in force. 


What policy options have been considered, including any alternatives 
to regulation? Please justify preferred option (further details in 
Evidence Base) 


The original rationale for the guidance was in s122 DPA 2018. At that point, as
the code and its remit were mandated by Parliament in s122 DPA 2018, it was
not appropriate for the Commissioner to consider any alternative course of 
action. To the extent that the Commissioner had discretion about which issues 
to cover or how to interpret them within the guidance, these are described in 
the body of this assessment. 


Will the intervention be reviewed? 


The guidance and subsequent code will be kept under review in line with good 
regulatory practice, with s122(2) DPA 2018 allowing the Information 
Commissioner to make amendments or lay a replacement once a code is 
published. 

Executive summary


This impact assessment sets out the benefits and costs associated with the 
Information Commissioner’s Office (ICO) direct marketing guidance. It draws on 
evidence including desk-based research, responses to an initial call for views, 
responses to our consultation and previous ICO impact assessment analysis. 


The impact assessment recognises the benefits of compliant direct marketing to 
the economy, potential data protection harms that can come about through
non-compliant direct marketing activity and market failures relating to these
activities. 


Background 


The direct marketing code (the code) is a statutory code of practice prepared 
under section 122 (s122) of the Data Protection Act 2018 (DPA 2018). Since 
DPA 2018 came into force, there has been a consultation and a bill proposing 
changes to privacy legislation.¹ To allow time for the bill’s passage to conclude
whilst still providing regulatory certainty to organisations, we are publishing the 
code as guidance. This guidance forms the basis for the code once the changes 
to the legislation are confirmed. 


The key outcomes of the guidance are intended to be: 


• the provision of practical guidance for organisations on the law and good
  practice in relation to direct marketing;

• a better understanding by organisations of how to conduct direct
  marketing activities fairly and transparently;

• an increased level of public trust about how organisations use their data;
  and

• economic and societal benefits from effective, compliant direct marketing.


The original rationale for the guidance was in the statutory duty to produce a 
code. However, beyond this, the guidance is likely to reduce the risk and 
severity of data protection harms and wider harms related to the Privacy and 
Electronic Communications Regulations (PECR). It is also well-aligned with 
government policy and industry codes. Taken together, there are strong reasons 
for the guidance. 


Direct impacts 


Direct incremental costs of the guidance are limited in that many of the 
requirements set out in the guidance are part of existing legislation that 
organisations and those engaging in direct marketing must already comply with. 


1 Data Protection and Digital Information Bill 2022, available at: https://bills.parliament.uk/bills/3322, accessed
14 December 2022.

The main direct impacts assessed are the costs and benefits to controllers of
familiarising themselves with the guidance. The cost of familiarisation to data 
controllers in terms of the time taken to read through the relevant materials is 
indicatively estimated at £51.6 million to £75.1 million. The benefits are 
achieved through helping controllers to comply more easily with existing 
legislation. These impacts are considered to be an inevitable consequence of DPA 
2018 and the UK GDPR and are therefore not attributable to the guidance itself. 


Indirect impacts 


The indirect impacts are those that come about through a change in behaviour 
or reallocation of resources following implementation of the guidance.² Although
it is not possible to rule out indirect costs resulting from the guidance, it is 
difficult to identify any that are likely to bring about significant indirect 
incremental impacts. As such, the assessment focuses on the potential indirect 
benefits. The main potential indirect benefits considered are: 


• Increased confidence: by providing greater regulatory certainty and
  clarity, organisations should feel more confident in processing personal
  data for the purposes of direct marketing, which could unlock opportunities
  for growth and innovation. Increased accountability could also result in
  higher public trust, reducing chilling effects on product or service
  engagement.

• Reduction of data protection harms related to direct marketing: the
  guidance is likely to contribute to reducing the risk and severity of
  relevant harms by encouraging organisations to comply and demonstrate
  accountability.


Conclusion 


The guidance has a strong rationale and aligns well with relevant policy. 
Although quantification of all costs and benefits has not been possible and there 
are significant uncertainties as to the scale and scope of impacts, the analysis 
demonstrates that there are limited direct incremental impacts from the 
guidance. Where the guidance has the potential to generate incremental 
impacts, it is through its indirect impacts. The analysis demonstrates the 
potential for the guidance to drive significant benefits through increased 
confidence in direct marketing and reductions in data protection harms. These 
benefits are likely to substantially outweigh any potential costs. 


2 Further discussion on direct and indirect impacts can be found in: Regulatory Policy Committee, RPC case
histories - direct and indirect impacts (2019).

1. Background


1.1. Problem under consideration and rationale for 
intervention 


This section provides: 


• an overview of the context of the guidance;

• an overview of the benefits of compliant direct marketing to the economy;

• examples of potential data protection harms that can come about through
  non-compliant direct marketing activity; and

• relevant market failures relating to these activities.


1.1.1. The direct marketing guidance 


The Information Commissioner’s Office (ICO) is committed to producing a direct 
marketing code of practice. The direct marketing code (the code) is a statutory 
code of practice prepared under section 122 (s122) of the Data Protection Act 
(DPA 2018)³. The ICO produced a draft code for consultation in January 2020.
Since then, there has been a consultation and a bill proposing changes to
privacy legislation.⁴ It is important for the ICO to give organisations regulatory
certainty. Given the proposed legislation could potentially lead to substantial 
changes to privacy in the near future, we are instead publishing the code as 
guidance, as it is not appropriate to publish the code while there is uncertainty. 
This means that organisations will have guidance to help them comply for now 
rather than waiting for the new legislation to be in force. This guidance will form 
the basis for the code once the changes to the legislation are confirmed. 


The guidance replaces the old non-statutory direct marketing guidance⁵ issued
by the ICO. In addition, it reflects changes in the type and amount of direct 
marketing activity conducted by organisations. 


The ICO has therefore prepared the updated direct marketing guidance to
provide practical direction to organisations when carrying out direct marketing.
The guidance covers the requirements of the data protection legislation and
e-privacy legislation and such other guidance as the ICO considers appropriate to
promote good practice in direct marketing. The guidance does not impose any
requirements additional to those in the legislation. It will help organisations to
comply with their legal obligations under the UK General Data Protection
Regulation (UK GDPR)⁶, the DPA 2018⁷ and the Privacy and Electronic
Communications Regulations 2003⁸ (as amended) (PECR).


3 DPA 2018, available at: https://www.legislation.gov.uk/ukpga/2018/12/section/122/enacted, accessed 14
December 2022.

4 Data Protection and Digital Information Bill 2022, available at: https://bills.parliament.uk/bills/3322,
accessed 14 December 2022.

5 ICO 2018, Direct marketing guidance (ico.org.uk).


High level objectives of the guidance


Bearing in mind the requirements set out above, the key outcomes of the
guidance are intended to be:

• the provision of practical guidance for organisations on the law and good
  practice in relation to direct marketing;

• a better understanding by organisations of how to conduct direct
  marketing activities fairly and transparently;

• an increased level of public trust about how organisations use their data;
  and

• economic and societal benefits from effective, compliant direct marketing.


Policy alignment 


An important part of the context for the guidance and its objectives is its 
alignment with relevant government policy and other rules and industry 
standards. The table below sets out some of the most relevant examples and 
outlines alignment with the guidance. 


Table 1: Policy alignment 


| Policy, regulation or code | Direct marketing guidance alignment |
|---|---|
| Department for Culture, Media and Sport (DCMS), National Data Strategy, 2020⁹ | The guidance has been developed with a focus on reducing the burden to businesses and other organisations whilst promoting the benefits of responsible use of data. This aligns well with the objectives of the strategy. |
| Communications Act 2003¹⁰ | The guidance promotes many of the regulatory objectives of the Act such as regulations around silent and nuisance calls. |
| Advertising Standards Authority (ASA), UK Code of Non-Broadcast Advertising, Sales Promotion and Direct Marketing (CAP), 2010¹¹ | The CAP promotes compliance through its central principle of legal, decent, honest and truthful marketing communications. It also specifically references guidance available from the ICO to aid compliance with data protection legislation. The guidance aligns well with this and specifically references the ASA and the CAP. |
| Data & Marketing Association (DMA) Code¹² | The DMA Code focuses on five key principles: putting your customer first, respect privacy, be honest and fair, be diligent with data, and take responsibility. All of which align well with the objectives of the guidance. |
| The Consumer Protection from Unfair Trading Regulations 2008¹³ | The guidance aligns well with the regulatory objectives, particularly those around unfair, misleading or aggressive marketing practices. |


6 Regulation (EU) 2016/679 of the European Parliament and of the Council 2016, available at:
https://www.legislation.gov.uk/eur/2016/679/contents, accessed 14 December 2022. The GDPR is retained in
domestic law now the transition period has ended, but the UK has the independence to keep the framework
under review. The UK GDPR sits alongside an amended version of the DPA 2018. See here for more
information: https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/data-protection-now-the-transition-period-has-ended/the-gdpr, accessed 14 December 2022

7 DPA 2018, available at: https://www.legislation.gov.uk/ukpga/2018/12/section/122/enacted, accessed 14
December 2022

8 The Privacy and Electronic Communications (EC Directive) Regulations 2003, available at:
https://www.legislation.gov.uk/uksi/2003/2426/contents, accessed 14 December 2022

9 DCMS (2020): https://www.gov.uk/government/publications/uk-national-data-strategy/national-data-strategy

10 Communications Act 2003, available at: https://www.legislation.gov.uk/ukpga/2003/21/contents, accessed
14 December 2022


As demonstrated in the table above, the guidance aligns well with relevant 
policy, rules and industry standards. 


1.1.2. Direct marketing in the economy 


Direct marketing plays a significant role in the economy. The main function of 
marketing is to inform, influence or attract consumers to products, services, 
aims or ideals, whether they be commercial, charitable or public. For the 
purposes of this assessment, where we refer to products and services, this also 
includes aims and ideals. Likewise, where we refer to suppliers, this includes 
both suppliers of products and services and promoters of aims and ideals. Whilst 
it is recognised that direct marketing is designed to benefit suppliers of products 
and services, there are potential benefits for consumers and wider society. 


The main mechanism by which benefits accrue to society is that, where there is
incomplete information and marketing materials are accurate, direct
marketing activities can help to fill the information gap. Three examples of this
are as follows:

• New products and services: direct marketing can make consumers aware
  of products and services that they then derive benefits from.

• Alternative products and services: direct marketing can make consumers
  aware of better quality products and services that increase the benefits
  derived.

• Alternative suppliers: direct marketing can make consumers aware of
  alternative suppliers that provide better or cheaper products and services.


11 ASA (2010): https://www.asa.org.uk/static/47eb51e7-028d-4509-ab3c0f4822c9a3c4/The-Cap-code.pdf,
accessed 14 December 2022.

12 Data & Marketing Association Code, available at: https://dma.org.uk/uploads/misc/dma-code-v7.pdf,
accessed 14 December 2022.

13 The Consumer Protection from Unfair Trading Regulations 2008, available at:
https://www.legislation.gov.uk/uksi/2008/1277/contents/made, accessed 14 December 2022.


Furthermore, where direct marketing serves to provide information on a product
or service's price or quality, it can help to increase competition in markets,
incentivising suppliers to reduce prices or increase the quality of products and
services.


Given direct marketing can be carried out either in-house or through external
suppliers, it is difficult to estimate the size of the industry. It is also difficult to
separate out direct marketing from marketing activity more generally. As such,
the analysis below is high level but provides some context.


There are 58,300 businesses registered with Companies House whose main
activities involve marketing and advertising. This makes up 1.2% of all active
businesses on the register.¹⁴


According to DCMS data, there were 229,000 people working for companies that
identify their main activity as Advertising and Marketing in March 2022.
However, this does not include advertising and marketing professionals that
work in companies with other functions.¹⁵ ¹⁶


Office for National Statistics (ONS) data show there were 549,400 people
employed in advertising and marketing related professions across the UK
economy in 2021, equivalent to 1.7% of the total number of employees in the
UK.¹⁷


1.1.3. Data protection harms related to the processing of personal data for 
the purposes of direct marketing 


As noted in the section above, direct marketing is an important part of the 
economy and wider society. Here, we outline some of the potential data 
protection harms that can arise through direct marketing activities, particularly 
non-compliant activities. 


14 ICO analysis of Companies House Data (May 2022), available at:
http://download.companieshouse.gov.uk/en_output.html. Analysis of SIC codes 70210, 7311, 7312.

15 DCMS (April 2021 - March 2022): https://www.gov.uk/government/statistics/dcms-sector-economic-estimates-employment-apr-2021-mar-2022 table 2, ‘Advertising and marketing’.

16 Note that this includes those working on marketing activities that are more general rather than specifically
direct marketing.

17 ONS (2022), Annual Population Survey - Employment by Occupation, Analysis of SOC: 1132; 1134; 2472;
2473; 3543.


The harm to individuals’ rights and freedoms can vary in degree and type. In line
with damages, as described in Article 82 of the UK GDPR¹⁸, harms can include:


• physical harm: physical injury or other harms to physical health;

• material harm: harms that are more easily monetised such as financial
  harm; or

• non-material harm: less tangible harms such as distress.


This means that harm can arise from actual damage and more intangible harm, 
including any significant economic or social disadvantage. Of course, harms may 
also fall into more than one of these categories. 


Harms have the potential to affect different groups within society in different 
ways, creating distributional impacts. This can mean that harms are exacerbated 
for more vulnerable or harder-to-reach groups or communities. 


There may be a harmful impact on wider society. For example, unfair or unlawful 
processing of personal data for the purposes of direct marketing may lead to a 
loss of public trust. Ultimately, this undermines the important role that direct 
marketing serves in our economy. 


We have identified some relevant examples of harms that occur when personal 
data is processed for the purposes of direct marketing using desk-based 
research. Direct marketing is not always the main or sole contributor to the
harm and the harms can occur as either a direct or an indirect result of the activity.
These examples are illustrative only and should not be viewed as an exhaustive 
or hierarchical list. 


Bodily or emotional harm 


Where direct marketing becomes a significant nuisance, it can become 
distressing, particularly where vulnerable individuals are involved. For example, 
unwanted direct marketing targeted at older people can lead to distress. 
Targeting direct marketing to those that have suffered a loss or tragedy can also 
cause significant distress. This can happen as a result of incorrect or out-of-date
records. 


Example: predatory marketing calls 


The ICO fined five companies a total of £405,000 for making over 750,000
unwanted direct marketing calls targeted at older, vulnerable people.
Complainants reported feeling frightened, anxious and distressed by the
aggressive tactics used to sell insurance, white goods and other household
products and services.¹⁹


18 Regulation (EU) 2016/679 of the European Parliament and of the Council 2016, available at:
https://www.legislation.gov.uk/eur/2016/679/article/82, accessed 1st August 2022.


Financial harm 


In some circumstances, direct marketing activity could lead to loss of income.
Examples of how this could occur are where personal data is used to target
those in financial difficulty with direct marketing for high interest loans, or
where gambling material is targeted towards those with gambling addiction problems.


Example: Bonne Terre Ltd 


The Gambling Commission has been working with industry to ensure paid-for
adverts are targeted away from vulnerable groups. In 2022, Bonne Terre Limited
were fined £1.17m by the Gambling Commission for sending promotional emails
to customers who had self-excluded or opted out of receiving marketing. Action
was taken in recognition that excluded customers were likely to be suffering
from gambling harm.²⁰


Discriminatory harm 


Where direct marketing uses or infers information on protected characteristics, 
either directly or indirectly, to target individuals, this can lead to discriminatory 
harms. One example could be where direct marketing uses profiling. The use of 
profiling could potentially lead to certain groups of people missing out on offers 
or products and services or being offered higher prices than others. This can be 
particularly impactful for services that have a significant impact on quality of life. 
It could also lead to groups of people receiving disproportionately greater 
volumes of nuisance marketing. 


More generally, a key principle under the UK GDPR is that processing of personal 
data is minimised. This includes not processing irrelevant or excessive personal 
data. Personal data must also be accurate and processing of personal data must 
be fair and lawful. Special category data includes personal data revealing or 
concerning information about racial or ethnic origin, or religious or philosophical 
beliefs. This type of data needs more protection because it is particularly 
sensitive. 


Loss of control of personal data 


Personal data can be collected for a particular purpose and then used for
another. Where this was not clear when the data was collected or people are not
fully aware of how their data is being used and shared, this can lead to feeling a
lack of control. This loss of control can lead to anxiety and an inability to manage
risk. The Data and Marketing Association Code requires members to be clear,
open and transparent in their engagement with consumers.²¹


19 ICO (2022): https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/03/ico-takes-action-against-companies-over-predatory-marketing-calls-targeting-elderly-vulnerable-people, accessed 14 December
2022

20 Gambling Commission (2022): https://www.gamblingcommission.gov.uk/news/article/gbp1-17m-fine-for-marketing-to-vulnerable-consumers, accessed 14 December 2022.


Example: Loss of control over targeting algorithms 


When Annie became pregnant in 2019 her social media feeds filled with ads for
baby products, prams and parenting groups. Annie suffered the bereavement of
a lost pregnancy, but continued to see targeted ads. Despite attempts to stop
being targeted with the ads, they kept appearing, causing considerable distress
every time Annie went online.²²


Societal harms 


Given the wide-scale use of direct marketing, there is the potential for harms to
arise at a societal level. Examples of this could be where people avoid accessing 
services or purchasing products because of a fear of harms related to targeted 
direct marketing. On a larger scale, this could lead to negative economic impacts 
or a reduction in the effectiveness of public services. 


1.1.4. Summary of rationale for intervention 


The original rationale for the guidance was in the statutory duty to produce a 
code (s122 DPA 2018). However, beyond this, the guidance is likely to reduce 
the risk and severity of data protection harms and wider harms related to PECR. 
It is also well-aligned with government policy and industry codes. Taken 
together, there are strong reasons for the guidance, despite it currently not 
having statutory code status. 


1.2. Approach to the guidance 


The development of the guidance was supported by a substantial body of
evidence including extensive consultation. A call for views commenced in
November 2018 to inform the initial drafting of the guidance, for which 104
responses were received.²³ This was then followed by a public consultation on a
draft code, concluding in March 2020, for which there were 148 responses.²⁴
Respondents included stakeholders from industry, the public sector and the third 
sector as well as members of the public. 


21 DMA Code, available at: https://dma.org.uk/uploads/misc/dma-code-v7.pdf, accessed 14 December 2022.

22 Huffington Post (2019), available at: https://www.huffingtonpost.co.uk/entry/women-affected-by-miscarriage-and-infertility-are-being-targeted-with-baby-ads-on-facebook_uk_5d7f7c42e4b00d69059bd88a,
accessed 14 December 2022.

23 ICO (2019): https://ico.org.uk/about-the-ico/responses-to-the-call-for-views-on-the-direct-marketing-code-of-practice/.

24 ICO, available at: https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/direct-marketing, accessed 14 December 2022.


Key themes from the consultation included:


• clarity and ease of understanding;

• level of detail;

• the issues and areas covered; and

• ease of finding information.


The comments received were reviewed and fed into the approach for the final 
draft of the guidance to ensure it considered the needs of stakeholders. 


1.3. Scope of the guidance 


The guidance focuses on direct marketing. Direct marketing is given a formal 
definition within s122(5) of the DPA 2018 as meaning “the communication (by 
whatever means) of advertising or marketing material which is directed to 
particular individuals”. 


Direct marketing includes the promotion of aims and ideals as well as advertising 
goods or services. Any method of communication which is directed to particular 
individuals could constitute direct marketing. Direct marketing purposes include 
all processing activities that lead up to, enable or support the sending of direct 
marketing. 


1.4. Affected groups 


Direct marketing activities are undertaken by a range of organisations and 
individuals across the economy. Direct marketing can be carried out either
in-house or through external suppliers and for a variety of reasons. It would be
reasonable to assume that all organisations engage in or procure some form of 
marketing at some point and that may involve direct marketing. As such, it is 
difficult to accurately scope the industry and those most likely to be affected by 
the guidance. 


1.4.1. Individuals whose data is used for direct marketing purposes 


As explained above, we assume the number of individuals directly affected
by direct marketing to be the whole of the UK population.²⁵ According to the
latest estimates from the ONS, the population of the UK stood at around 67.1
million in 2020.²⁶


In the absence of robust data, we are unable to say what proportion of this
population is more or less likely to be impacted (positively and negatively) by
direct marketing or the guidance. As such, we are unable to provide detailed
analysis of distributional impacts. However, where certain impacts are more or
less likely to affect different groups of people, qualitative commentary is
provided.


25 Although direct marketing can involve individuals outside of the domestic population, the Impact Assessment
is limited to the UK. The same limitation is applied to organisations and other affected groups.

26 ONS (2021) Mid-Year Population Estimates


1.4.2. Organisations and individuals who are engaged in direct marketing 


These are the organisations that process personal data for direct marketing 
purposes. It includes both those whose main purpose is direct marketing (eg 
direct marketing agencies) as well as those who are engaged in direct marketing 
to support their main activities. 


The ICO data protection register has 17,404 individuals or organisations
registered under marketing, which could provide a conservative lower-end
estimate of those whose main purpose is marketing.²⁷


More generally, it is not possible to state precisely which organisations the 
guidance is relevant to. As such, we have made the simplifying assumption that 
to some extent the guidance is relevant to all organisations, which includes most 
businesses and charities, as well as some individuals such as sole proprietors. 
While it is less likely that public bodies engage in direct marketing there may 
also be occasions when the guidance is relevant to them. 


Although data does not exist to accurately describe all organisations, we have 
collected data on some key groups to provide an indicative quantitative 
estimate. The key organisation types and sources are listed in Table 2 below. 


Table 2: Affected organisations and sources 


| Organisation type | Coverage | Source |
|---|---|---|
| Businesses | Registered and unregistered businesses and sole proprietors in the UK | Business Population Estimates, 2022²⁸ |
| Public bodies | All central and local government organisations in the UK | Business Population Estimates, 2022 |
| Charities²⁹ | All those registered with the charity regulators in the UK | Charity Commission, Register of Charities for England and Wales, May 2022;³⁰ Charity Commission for Northern Ireland, Register of Charities, May 2022;³¹ Scottish Charity Regulator, Scottish Charity Register, May 2022 |


27 ICO (May 2022), Analysis of the Data Protection Register

28 BEIS (2022): Business Population Estimates.

29 Note: there is potential for double counting of charities that are registered with charity regulators and also
set up as limited companies, however, we don’t expect this to have a significant impact on the assessment
given the very small proportion of organisations this represents.


Although this does not provide coverage of all potential relevant organisations
(eg unregistered community groups), it does help to provide a reasonable and
proportionate indication of the scale. The indicative estimate of the total number
of organisations in these groups is 5.71 million.³² The guidance is likely to be of
most relevance to those processing personal data other than that of their
employees. We estimate this to be 3.7 million organisations.³³


1.4.3. The Information Commissioner 


This is the regulator with primary responsibility for regulating the UK GDPR, the 
DPA 2018 and PECR. This includes investigating potential infringements of the 
underpinning legislation and using relevant enforcement powers as appropriate. 
The Commissioner will be affected as his office will need to provide advice, 
promote good practice and assess conformance with the law. 


1.4.4. Justice system 


The justice system could be affected, as a court or tribunal may take into 
consideration the guidance in any proceedings before it to the extent that it 
appears relevant to the questions it is required to determine. 


1.4.5. Wider society and third parties not engaged in or impacted directly 
by direct marketing 


It is not possible to quantify this affected group, but it is likely to include the whole
of wider society, given the reach of direct marketing activity.


30 Charity Commission (2022), available at:
https://register-of-charities.charitycommission.gov.uk/sector-data/charities-by-income-band, accessed 2nd May
2022.

31 Charity Commission for Northern Ireland (2022), available at:
https://www.charitycommissionni.org.uk/charity-search/?pageNumber=1, accessed 2nd May 2022.

32 BEIS (2022) Business Population Estimates

33 We calculate this figure using BEIS (2022) and DCMS (2020) Table 1. Estimates are for businesses which
process or collect personal data from sources other than employees - see Annex A for more detail.


1.5. Approach to the impact assessment


We have assessed the impacts using cost-benefit analysis, which aims to identify 
the full range of impacts of the guidance. However, it should be noted that it is 
neither practical nor necessary for the purpose of this impact assessment to 
undertake a forensic analysis of all of the guidance’s implications. The approach 
used in this assessment is based on that of the impact assessment for the Age 
Appropriate Design Code, data sharing code and the draft journalism code[34] and 
follows the principles set out in HMT Green Book[35] and Regulatory Impact 
Assessment guidance.[36]


In identifying the potential impacts of the guidance it is important to distinguish 
between: 


• incremental impacts - these are impacts that can be attributed to the 
guidance itself; 


• impacts of the requirements of section 122 of the DPA 2018 - as the 
original rationale for the guidance; and 


• impacts of requirements of the UK GDPR, the DPA 2018 and PECR - these 
are not incremental to the guidance because organisations are expected 
to be compliant with these requirements already. 


It is not always possible to categorise impacts distinctly, but our assessment 
focuses on the incremental impacts of the guidance. These incremental impacts 
may be direct or indirect:[37]


• Direct impacts: these are ‘first round’ impacts that are generally 
immediate and unavoidable with relatively few steps in the chain of logic 
between the introduction of the measure and the impact taking place. 


• Indirect impacts: these are ‘second round’ impacts that are often the 
result of changes in behaviour or reallocations of resources following the 
immediate impact of the introduction of the measure. 


Accordingly, our assessment is split into two main parts considering the 
guidance’s direct and indirect incremental impacts. 


34 ICO (2021): https://ico.org.uk/media/about-the-ico/documents/4018652/draft-economic-impact-assessment-202110.pdf; ICO (2021): https://ico.org.uk/media/2619796/ds-code-impact-assessment-202105.pdf; ICO (2020): https://ico.org.uk/media/about-the-ico/documents/2617988/aadc-impact-assessment-v1_3.pdf.

35 HM Treasury (2022): https://www.gov.uk/government/publications/the-green-book-appraisal-and-evaluation-in-central-governent.

36 BEIS (2019): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/776507/Busines Impact Target Statutory Guidance January 2019.pdf.

37 Further discussion of direct and indirect impacts can be found in: Regulatory Policy Committee, RPC 
case histories - direct and indirect impacts (2019). 


To assess direct impacts, we have focused on key parts of the guidance that 
may impact any of the affected groups. We present each element in turn and 
consider, overall, how likely it is that there would be an incremental impact. We 
then consider the potential indirect impacts as a whole and how likely it is there 
would be an incremental impact. 


In line with Green Book guidance,[38] we have sought to identify any 
distributional impacts. These are impacts that differ for individuals depending on 
their characteristics (eg income level or geographical location). As stated in the 
Green Book, it is not proportionate to calculate all distributional effects but, where 
possible, we provide qualitative commentary on impacts that may 
disproportionately affect certain groups. 


The evidence base primarily constitutes desk-based research, responses to the 
call for evidence and consultation on the draft code and previous ICO impact 
assessment analysis. 


The original rationale for the guidance was s122 DPA 2018 as it was initially 
developed as a code. As the code was mandated by Parliament in s122 DPA 
2018, the Commissioner did not have an option to consider alternative action or 
regulatory intervention. For this reason, this assessment does not consider 
alternative options. It is simply an appraisal of the introduction of the guidance 
against the counterfactual explained below. 


1.5.1. Counterfactual 


The ‘counterfactual’ in an impact assessment is the baseline against which the 
incremental impacts of the introduction of a policy can be estimated. Absent the 
introduction of the guidance, the existing legislation including UK GDPR, DPA 
2018 and PECR would continue to apply and form the counterfactual for the 
purposes of this assessment. 


In line with impact assessment guidance,[39] the assessment assumes compliance 
both with existing legislation and guidance in the absence of specific evidence to 
suggest otherwise. This simplifies the assessment, but it is not intended to 
suggest that there is total compliance. If we did identify any specific lack of 
compliance, the guidance would help organisations to improve. 


The guidance does not impose any additional legal requirements, which limits 
the guidance’s incremental impacts over and above that of the counterfactual. 
This is discussed further in Section 2. 


38 HM Treasury (2022): https://www.gov.uk/government/publications/the-green-book-appraisal-and-evaluation-in-central-governent.

39 BEIS (2019): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/776507/Busines Impact Target Statutory Guidance January 2019.pdf.


1.5.2. Quantification 


Quantified analysis of the impacts is particularly challenging for the guidance 
because of its wide-ranging scope and the difficulty in quantifying the affected 
groups, as explained above. 


Calculating the incremental cost to organisations is also complex because the 
nature of these costs varies considerably depending on different factors, for 
example: 


• how sophisticated and mature the organisation’s existing data protection 
and e-privacy systems and processes are; 

• the nature of the activities; 

• the processing associated with those activities; and 

• the level of risk to individuals. 


Due to their intangible nature, it is similarly challenging to quantify many of the 
guidance’s benefits, such as: 


• reductions in harm; 

• increased organisation understanding; or 

• increased trust amongst the public. 


Our analysis therefore focuses primarily on non-monetised impacts. However, 
where possible, we have provided high-level quantitative analysis to indicate 
scale. 


2. Costs and benefits of the guidance 


In this section, we consider the potential costs and benefits of the guidance. Our 
aim is to understand whether there are likely to be significant impacts on 
affected groups (both positive and negative) and to judge the guidance’s overall 
impact on society. 


We draw on a mixture of quantitative and qualitative evidence but, as noted 
above, our analysis is limited by the evidence available. The analysis of effects is 
split into direct and indirect impacts as set out in Section 1.5.[40]


Direct impacts are given the same weight as indirect impacts. The only 
distinction is that the indirect impacts are considered collectively because these 
are not sufficiently distinct to justify individual analysis. 


The impacts are assessed under the following headings which then feed into our 
conclusion on the guidance's overall impact on society: 


• Cost: a discussion of the related costs that could bring about significant 
impacts to affected groups. 


• Benefits: as with costs. 


• Categorisation of impact: our assessment of whether there is likely to 
be a significant net cost or benefit as well as the categorisation of the 
impact (ie are the impacts incremental?). 


2.1. Direct costs and benefits of the guidance 


We identify and analyse direct impacts of the guidance in the form of 
familiarisation with the guidance itself and the good practice examples and 
recommendations below. However, it is important to note at the outset that 
direct incremental costs of the guidance are limited in that many of the 
requirements set out in the guidance are part of existing legislation that 
organisations and those engaging in direct marketing activities are already 
obliged to abide by. 


2.1.1. Familiarisation 


Organisations are expected to familiarise themselves with the guidance, 
although the extent of familiarisation will differ by organisation. 


40 Further discussion on direct and indirect impacts can be found in: Regulatory Policy Committee, RPC case 
histories — direct and indirect impacts (2019). 


Cost-benefit analysis 


Costs 


Organisations will incur a direct cost as a result of the introduction of the 
guidance because of the time taken to read and become familiar with it. These 
are referred to as familiarisation costs.[41] It contains guidance for all 
organisations processing personal data for the purposes of direct marketing. 
However, it may not be necessary for all organisations to familiarise themselves 
with the whole guidance, particularly while it is guidance rather than a code of 
practice. For example, this may be the case for smaller organisations that 
undertake lower risk processing. 


The indicative familiarisation costs are estimated to be between £51.6 million and 
£75.1 million, using the information available on the advertising and marketing 
industry and the likely time taken to read it. However, this is only to indicate the 
scale of this impact. It is not possible to accurately estimate the number of 
organisations or individuals that would need to familiarise themselves with the 
guidance. 


It should also be noted that the guidance and materials produced will remain 
under review with the potential for further supplementary or issue specific 
guidance to lessen the load on organisations in terms of familiarisation costs. 
This means any estimates of the costs could be an overstatement at this point. 
There are further details of the method used to estimate familiarisation costs in 
Annex A. 


Benefits 


The direct benefits to organisations of becoming familiar with the guidance are 
that it: 


• helps them to understand their existing legal obligations under UK data 
protection law and PECR; 

• helps them to comply with these obligations effectively; 

• helps them win trust from individuals and clients; 

• reduces the potential harm to individuals; and 

• increases confidence to process data responsibly (discussed further under 
indirect costs and benefits in section 2.2). 


Categorisation of impact 


The original rationale for the guidance was in meeting s122 DPA 2018 to 
produce a code and the intention is still for the guidance to form the basis for a 
code. The impacts associated with familiarisation are a result of the production 
of the guidance itself which in turn is a result of the requirements of s122 DPA 
2018. As the guidance provides good practice as well as practical guidance, it 
could be said that s122 of DPA 2018 enables some judgement about the scope 
and length. However, as s122 is explicit in requiring the Commissioner to 
provide practical guidance on legislation as well as good practice guidance such 
that the Commissioner considers appropriate, this provides a broad scope for the 
guidance. Although there is some discretion implied in s122 of DPA 2018, it does 
not necessarily follow that discretion implies incrementality. A similar 
assessment was also made for the impacts of familiarisation of the 
Age-Appropriate Design Code,[42] data sharing code[43] and draft journalism code.[44]


41 For guidance on familiarisation costs, see: BEIS (2019): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/776507/Busines Impact Target Statutory Guidance January 2019.pdf.


While the assessment acknowledges that the issue of attribution here is 
complex, it is assumed that even where elements of the guidance could be 
deemed incremental, these are limited and likely to be balanced by the benefits 
to organisations in terms of regulatory certainty and greater ease in complying 
with legislation, particularly when taken in aggregate. 


The impacts of familiarisation associated with the guidance are therefore 
considered to be an inevitable consequence, and so an impact, of s122 of 
the DPA 2018. 


2.1.2. Specific elements of the guidance 


We have outlined the key parts of the guidance below. We then assessed the 
potential for incremental costs or benefits to organisations and other affected 
groups. 


Identifying direct marketing 


The first step for organisations is to consider if what they want to do is direct 
marketing. This is important so that all the relevant rules can be followed. The 
guidance explains how the law defines direct marketing. It also makes clear that 
direct marketing is wider than simply sending direct marketing messages and 
can also include the activities that lead up to, enable or support such sending. 


The guidance also provides good practice advice to help organisations decide if 
what they want to do is direct marketing. If what an organisation wants to do is 
not direct marketing then the guidance does not apply to them. 


42 ICO (2021): https://ico.org.uk/media/about-the-ico/documents/4018652/draft-economic-impact-assessment-202110.pdf.

43 ICO (2021): https://ico.org.uk/media/2619796/ds-code-impact-assessment-202105.pdf.

44 ICO (2020): https://ico.org.uk/media/about-the-ico/documents/2617988/aadc-impact-assessment-v1_3.pdf.


Planning direct marketing 


A key area of the guidance is that organisations plan their direct marketing 
before they start. This includes taking into account what type of information they 
want to use and what direct marketing activity they want to use it for. 


Not planning properly can cause negative impacts to the organisation, such as 
non-compliance which harms their reputation or leads to enforcement action. It 
can also cause negative impacts to people, for example when they receive 
nuisance or unwanted direct marketing. All of these can be prevented if 
organisations take time to plan their direct marketing. 


The guidance provides help to organisations to work through the things they 
must consider when planning their direct marketing as well as good practice. 


Collecting contact details 


The guidance covers how to collect contact details and generate leads for direct 
marketing. It reminds organisations that people must be told that the organisation 
wants to use their personal data for direct marketing. It also provides guidance on 
what organisations need to consider if they want to get people’s information from 
other sources or create new information on people based on what they think 
they know about that person. 


Practical advice is also provided to organisations on what they could consider to 
ensure their compliance before they buy information to use for direct marketing 
from other sources. 


Respecting people’s preferences 


The guidance contains practical advice to help support people's rights and 
preferences in regard to direct marketing. 


It promotes the use of suppression lists as a way that organisations can ensure 
that they continue to respect the wishes of those people who don’t want their 
information used for direct marketing. 


Cost-benefit analysis 


Costs 


The key elements of the guidance set out above are not additional obligations or 
impositions over and above existing legislation and what would be required 
generally to comply effectively with the legislation. The guidance is not overly 
prescriptive and it is clear where there are steps or considerations that may be 
helpful. The guidance also takes steps to make it clear what is a legal 
requirement and what is good practice. 


Where organisations perceive that there are additional obligations or burdens, it 
is likely that there were existing issues with compliance. In these limited 
instances, organisations may need to implement additional measures or restrict 
activities. However, the costs of these will be significantly outweighed by the 
benefits of improved compliance both to the organisations themselves and also 
to wider society. This impact is to some extent an implicit and inevitable aspect 
of the guidance’s function because it exists to improve compliance. 


Benefits 


The greater clarity provided by the guidance is likely to benefit organisations 
through increased regulatory certainty and efficiency. This in turn is likely to 
reduce some of the costs associated with compliance or non-compliance. For 
example, better compliance may reduce costs incurred through legal challenges. 


The specific parts of the guidance we have highlighted should also help the ICO 
to review compliance and investigate where necessary. 


Categorisation of impacts 


The original rationale for the guidance was in meeting s122 DPA 2018 to 
produce a code and the intention is still for the guidance to form the basis for a 
code. The impacts described above are a result of the statutory requirement 
within section 122 of DPA 2018. We are required to develop a code that supports 
the understanding of the legislation and good practice when personal data is 
processed for direct marketing. Therefore, the potential for incremental impacts 
is limited and the direct impacts of the guidance are assessed as neutral. 


2.2. Indirect costs and benefits of the guidance 


2.2.1. Costs 


Although it is not possible to rule out indirect costs, it is difficult to identify any 
that are likely to bring about significant indirect impacts that are incremental to 
the guidance. 


Additional restrictions or burdens (perceived or actual) could change the way 
some direct marketing activity is conducted and reduce some of the higher risk 
types of activity which could have knock-on effects for parts of the economy that 
rely on it. However, we do not consider that the guidance places any significant 
restrictions (or indeed freedoms) that go over and above existing legislation and 
what would generally be reasonable to comply effectively. As such, there is no 
substantive evidence of indirect costs. 


2.2.2. Benefits 

The indirect benefits of the guidance are primarily that it is likely to increase 
confidence and regulatory certainty. In turn, increased compliance is likely to 
lead to a reduction in the risk of harm to individuals when personal data is used 
for direct marketing. 


Increased confidence 


There is a high degree of uncertainty around impacts related to increased 
confidence. It is not possible to make a robust estimate of how incremental 
these impacts are. 


The guidance will provide greater regulatory certainty and clarity because it is 
tailored specifically to the context of direct marketing. It is therefore likely to 
increase confidence within the industry generally. This will support those 
processing personal data for the purposes of direct marketing, particularly in 
circumstances where there may be more uncertainty about how to balance the 
benefits of efficient direct marketing and privacy rights. 


Increased accountability may result in higher public trust levels. This may reduce 
chilling effects where people avoid engagement with products and services 
through fear of harm. This is particularly relevant to those with less knowledge 
of data protection issues or harder-to-reach individuals and groups. Direct 
marketing, and its associated benefits, rely on engagement and the willingness 
of individuals to share personal data that enables marketing to be targeted 
appropriately. 


Increased regulatory certainty and confidence may result in more consistent 
understanding and application of the law across organisations. The guidance is a 
free-to-use resource by the data protection regulator that is tailored specifically 
to this sector’s needs. This includes guidance tailored specifically for smaller 
organisations. This may increase competition and may also support smaller 
organisations particularly to participate more fully. Additional confidence may 
also result in innovation and economic growth. 


Reduction of data protection harms related to direct marketing 


As illustrated in Section 11.1.3, data protection harms may occur when personal 
data is processed for the purposes of direct marketing. Although the harms 
presented do not necessarily point to specific areas of non-compliance, the 
examples provided do correlate to key principles of data protection law. 


The guidance is likely to contribute to reducing the risk and severity of the types 
of harms we have identified in this assessment and, where relevant, would serve 
to reduce negative distributional impacts. Even a small contribution to 
minimising harms would be helpful, in view of the potentially widespread 
damaging consequences for individuals. 


The guidance encourages organisations to demonstrate accountability 
throughout, which is a key data protection principle introduced by the UK GDPR. 
There are benefits to putting in place appropriate, risk-based data protection 
measures and being able to demonstrate this. These are that organisations 
manage risks and harms associated with the processing of personal data. In 
turn, this increases confidence, both within and outside the industry. 


Categorisation of impact 


The guidance is likely to offer significant indirect benefits to society. This is 
because it is likely to provide greater regulatory certainty, increase confidence, 
and reduce harms. These beneficial impacts are judged to be incremental to the 
guidance. 


However, it is difficult to draw firm conclusions about the likelihood and scale of 
the guidance’s indirect benefits. This is because the indirect impacts are often 
intangible, vary according to the circumstances and depend on behaviour 
change. 


2.3. Overall assessment of direct and indirect impacts 


The direct and indirect costs identified in this assessment are generally judged 
not to be incremental. This is primarily because of the terms of the statutory 
requirement to produce the guidance and the need for organisations to comply 
with the legislation. 


It is difficult to quantify evidence on costs. However, there is limited potential for 
incremental costs, in view of the legislative background to the guidance and the 
steps taken by the ICO to produce it. This also means there is limited potential 
for distributional impacts, although it is not possible to confirm this with the 
available evidence. 


We consider that the guidance is likely to have some significant indirect 
incremental beneficial impacts. This is due to increased regulatory certainty, 
confidence and reducing the risk and severity of harms in the context of data 
protection and direct marketing. However, it is difficult to draw firm conclusions 
about the likelihood and scale of these benefits, which largely depend on 
behaviour change. 


Overall, any costs associated with the guidance are considered to be significantly 
outweighed by the incremental societal benefits that the guidance may produce. 
These benefits align well with specific policies and complement existing industry 
codes. 


Annex A: estimating familiarisation costs 


This annex sets out the approach taken to estimating familiarisation costs for the 
guidance. A similar approach was taken for the impacts of familiarisation of the 
Age-Appropriate Design Code, data sharing code and draft journalism code.[45]


As part of developing the guidance, the ICO sought to ensure maximum clarity 
and readability while still providing the necessary information. In addition to the 
core guidance, guidance for small and medium enterprises (SMEs) was 
developed to make the guidance more accessible to this audience. 


Cost of reading the guidance 


The familiarisation costs have been estimated in line with government guidance. 
This includes best practice on estimating reading time and implementation costs 
for organisations.[46][47] The reading time for each document is estimated using 
the word count, a measure for how easy it is to read each piece of guidance and 
the average words per minute that can be assumed for different levels of 
reading ease from government guidance.[48] This is provided in Table 3 below. 


Table 3: Estimated reading time for direct marketing guidance 


Element of guidance | Word count | Flesch reading ease score | Assumed words per minute | Estimated reading time (hr:min)
--- | --- | --- | --- | ---
Direct marketing guidance | 19,453 | 48.6 | 75 | 4:19
Small and Medium Enterprise guide to direct marketing | 1,516 | 57.6 | 100 | 0:15


Source: BEIS Business Impact Target Appraisal of Guidance, ICO analysis. 


45 ICO (2021): https://ico.org.uk/media/about-the-ico/documents/4018652/draft-economic-impact-assessment-202110.pdf; ICO (2021): https://ico.org.uk/media/2619796/ds-code-impact-assessment-202105.pdf; ICO (2020): https://ico.org.uk/media/about-the-ico/documents/2617988/aadc-impact-assessment-v1_3.pdf.

46 BEIS (2019): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/776507/Busines Impact Target Statutory Guidance January 2019.pdf.

47 Regulatory Policy Committee (2019): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/827926/RPC short guidance note - Implementation costs August 2019.pdf.

48 BEIS (2019): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/776507/Busines Impact Target Statutory Guidance January 2019.pdf.


The impact of familiarisation on organisations can be monetised using data on 
wages from the ONS Annual Survey of Hours and Earnings (ASHE).[49] Assuming 
that the relevant ‘occupational group’ is ‘managers, directors and senior 
officials’, median hourly earnings (excluding overtime) for this group is £22.01. 


This hourly cost is uprated for non-wage costs using the latest figures from 
Eurostat and in line with Regulatory Policy Committee guidance,[50] resulting in an 
uplift of 22% and an hourly cost of £26.84. We then use this hourly cost and the 
simplifying assumption of one person being responsible for familiarisation in 
each organisation[51] to estimate a cost for reading each document. 


Table 4: Estimated cost of reading the guidance 


Element of guidance | Estimated cost of reading*
--- | ---
Direct marketing guidance | £116.00
Small and Medium Enterprise (SME) guide to direct marketing | £6.80


Source: ICO Analysis; RPC 2019 Guidance on Implementation Costs. *cost rounded to nearest £0.10. 


Organisations or individuals in scope 


The organisations covered in the analysis of familiarisation costs are mainly 
businesses and charities but it may also be applicable to some public sector 
organisations. 


The Department for Business, Energy and Industrial Strategy (BEIS) Business 
Population Estimates states that there are 5.71 million organisations in the UK 
economy.[52] The assessment uses the make-up of these by size and sector to 
inform exposure to direct marketing. The organisations that make up this total 
are shown in Table 5 below. 


Table 5: Organisations by organisation type 


Organisation type | Number of organisations (millions)
--- | ---
Private sector organisations | 5.51
Charities | 0.19
Public sector organisations | 0.01
Total | 5.71


Source: BEIS (2022): https://www.gov.uk/government/statistics/business-population-estimates-2022, ICO 
analysis. 


49 ONS (2022): Annual Survey of Hours and Earnings, table 10_SOC10 and Eurostat (2022): 
https://ec.europa.eu/eurostat/statistics-explained/index.php/Hourly labour costs. 

50 Regulatory Policy Committee (2019): https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/827926/RPC short guidance note - Implementation costs August 2019.pdf.

51 While there may be one individual responsible for understanding the guidance for multiple organisations or 
multiple individuals in one organisation, the absence of data makes a precise estimate overly cumbersome to 
come by; this simplifying assumption is therefore deemed appropriate. 

52 BEIS (2022): https://www.gov.uk/government/statistics/business-population-estimates-2022. 


We make broad assumptions about which document and how much of each 
document a typical organisation would be expected to read based on likely 
exposure to direct marketing privacy risks. These assumptions provide us with 
an indicative average of familiarisation costs. This is intended to be indicative 
and we recognise that within these broad groups, organisations will have specific 
needs and therefore read more or less of this guidance. To reflect the 
uncertainty, we have provided two scenarios to give an upper and lower end 
estimate of the likely familiarisation costs. Table 6 below shows the guidance 
assumed for each risk category in each scenario. 


Table 6: Assumed guidance read by each privacy risk exposure category by 
scenario 


Scenario | Risk exposure | Relevant guidance | Estimated cost per organisation
--- | --- | --- | ---
Lower-end | High | Direct marketing guidance | £116.00
Lower-end | Medium | SME guide to direct marketing | £6.80
Lower-end | Low | SME guide to direct marketing | £6.80
Higher-end | High | Direct marketing guidance | £116.00
Higher-end | Medium | Halfway between high and low | £61.40
Higher-end | Low | SME guide to direct marketing | £6.80


Source: ICO analysis. 


Private sector organisations 


There are 5.5 million private sector organisations in the UK.[53] As well as 
for-profit firms, this group includes some charities, community groups and social 
enterprises who have registered as businesses with Companies House. 


53 BEIS (2022): https://www.gov.uk/government/statistics/business-population-estimates-2022 


As illustrated in Table 7 below, the proportion of UK businesses that process or 
collect personal data from sources other than employees varies by business size. 


Table 7: Businesses which hold personal data other than employee data 


Business size (number of employees) | Percentage of businesses
--- | ---
Sole trader (zero employees) | 63%
Micro and small (1 to 49 employees) | 64%
Medium (50 to 249 employees) | 79%
Large (250+ employees) | 92%


Source: DCMS Business Data Survey 2022, ICO analysis. 


Applying the proportions from Table 7 to the 5.5 million private sector 
organisations in the UK by size results in an estimated total of 3.5 million 
private sector organisations that hold personal data other than employee data. 
This adjustment was not applied to charities or public sector organisations as 
there is no data available on them specifically. 


For the purpose of this analysis, we make the simplifying assumptions below. It 
should be noted that this will not apply to each and every organisation described 
below and is only to help simplify our analysis. 


• Businesses that do not process or collect personal data are not able to 
engage in direct marketing. 


• Due to their size and relative lack of labour, sole traders would engage 
exclusively with the SME guide to direct marketing. For all other businesses, 
exposure to privacy risks from direct marketing will determine the extent 
of engagement with the materials. 


We determine sectoral risk as set out in Table 8. 


Table 8: Private sector exposure to direct marketing privacy risks by sector 


Sector                                              Risk exposure   Justification
Agriculture, Forestry and Fishing                   Low             Mostly business-to-business marketing so unlikely to involve much personal data
Mining and Quarrying; Utilities                     Medium          Mostly business-to-business marketing so unlikely to involve much personal data in mining and quarrying; utilities likely to hold personal data
Manufacturing                                       Low             Higher proportion of business-to-business marketing so likely to involve less personal data
Construction                                        Low             Mostly business-to-business marketing so unlikely to involve much personal data
Wholesale and Retail Trade including auto-repair    Medium          Likely to hold some personal data and engage in direct marketing although more likely to be involved in business-to-business marketing
Transportation and Storage                          Medium          Likely to hold some personal data and engage in marketing but less likely to include highly sensitive data.
Accommodation and Food Service Activities           Medium          Likely to hold some personal data and engage in direct marketing but less likely to include highly sensitive data.
Information and Communication                       Medium          Likely to hold large amounts of personal data
Financial and Insurance Activities                  High            Likely to hold and use large amounts of personal data for direct marketing
Real Estate Activities                              High            Likely to hold and use large amounts of personal data for direct marketing
Professional, Scientific and Technical Activities   High            Sector includes marketing and advertising agencies who are likely to hold and use large amounts of personal data for direct marketing
Administrative and Support Service Activities       Low             Mostly business-to-business marketing so unlikely to involve much personal data
Education                                           Medium          Likely to hold personal data. Some organisations are likely to regularly engage in direct marketing, for example universities asking alumni for donations.
Human Health and Social Work Activities             High            Private sector likely to hold and use large amounts of personal data for direct marketing
Arts, Entertainment and Recreation                  High            Likely to hold and use large amounts of personal data for direct marketing
Other Service Activities                            Medium          Unknown, mid-point assumed


Source: ICO analysis. The risk exposure is based on professional judgement. 


Charities 


We believe that direct marketing plays a significant role for charities in terms of
income generation.⁵⁴ We assume that charities with higher incomes are more
likely to need to engage with more of our guidance.


Table 9: Charity sector exposure to direct marketing privacy risks by sector 


Annual income band        Risk exposure
£0 to £100,000            Low
£100,000 to £500,000      Medium
£500,000 and over         High


Source: ICO analysis. The risk exposure is based on professional judgement. 


Public sector organisations 


We believe, in general, public sector organisations are less likely to extensively
engage in direct marketing. We have assumed that larger organisations are
more likely to market their commercial services alongside their primary functions
and assigned exposure accordingly.


54 Charity Commission, available at: https://register-of-charities.charitycommission.gov.uk/sector-data/charities-by-income-band, accessed 2nd May 2022
Table 10: Public sector exposure to direct marketing privacy risks by sector


Number of employees      Risk exposure
0 - 499                  Low
500 +                    Medium


Source: ICO Analysis. The risk exposure is based on professional judgement. 


Organisations in scope 


After excluding businesses that do not hold personal data other than that of their 
employees, and applying the exposure to direct marketing, we arrive at the 
estimates of organisations in scope by exposure level in Table 11 below. 


Table 11: Organisations in scope 


Number of organisations in scope (millions)


Risk exposure     High     Medium     Low      Total
Private           0.23     0.40       2.86     3.49
Charity           0.01     0.02       0.15     0.19
Public Sector     -        0.00       0.01     0.01
Total             0.24     0.43       3.02     3.70


Source: ICO Analysis.


Estimated familiarisation cost


After categorising each type of organisation by their privacy risk exposure
category, we grouped them together and applied the appropriate familiarisation
cost per organisation as detailed above. In summary, we believe the
familiarisation cost to the UK economy to be between £51.6 million and £75.1
million.


Table 12: Lower end estimate of familiarisation costs


Risk exposure     Organisations (millions)     Estimated cost per organisation     Total cost (millions)
High              0.24                         £116.00                             £28.2
Medium            0.43                         £6.80                               £2.9
Low               3.02                         £6.80                               £20.5
Total             3.70                         £14.00                              £51.6


Source: ICO Analysis.


Table 13: Upper end estimate of familiarisation costs


Risk exposure     Organisations (millions)     Estimated cost per organisation     Total cost (millions)
High              0.24                         £116.00                             £28.2
Medium            0.43                         £61.40                              £26.4
Low               3.02                         £6.80                               £20.5
Total             3.70                         £20.30                              £75.1


Source: ICO Analysis.